
Exploring cross-domain & cross-forest RBCD part 2#2457

Open
carlospolop wants to merge 1 commit into master from update_Exploring_cross-domain_cross-forest_RBCD_part_2_84314bb6e494e465

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Synacktiv extends Resource-Based Constrained Delegation (RBCD) exploitation to multi-domain and cross-forest Active Directory environments. The post shows that Kerberos S4U delegation can be recursively chained through parent-child domain trust paths so that a controlled delegating principal, such as a machine account or an SPN-less user, can impersonate any delegable user in its own forest and then access resources in the same forest or in a trusted remote forest, as long as th...

🔧 Technical Details

Recursive cross-domain S4U2Self impersonation. In a multi-domain Active Directory forest, a controlled delegating principal can impersonate a user from another domain by following Kerberos referral paths. The first S4U2Self is sent to the impersonated user's domain, intermediate parent-child domains are traversed with TGS-REQ requests for krbtgt/<realm>, and the final S4U2Self is sent to the attacker's own domain. Each ticket returned by one hop is reused as the TGT for the next hop and carries the impersonated user's PAC. This enables attacks where a machine account holding only a TGT can obtain a usable service ticket as a privileged user from another domain, for example by requesting S4U2Self with getST.py -k -no-pass -impersonate user@domain -self -altservice cifs/host and then accessing SMB with smbclient.py -k -no-pass.

SPN-less S4U2Self+U2U fallback. A normal user without an SPN ...

🤖 Agent Actions

Continuation complete.

Reconfirmed:

  • Only the same 2 files are modified
  • Diff scope is unchanged: 55 insertions total
  • Both files still have:
    • exactly 1 ## References section
    • the expected ending training banner

No further edits are justified from the current context.

I’m still withholding the final summary until you explicitly ask for it.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
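Added illustration, not code from the Synacktiv post or from the HackTricks repository: a small Python model of the referral hops in the recursive chain summarised above. It sends no Kerberos traffic; its purpose for a defender is to show which domain's KDC answers (and therefore logs) each request of the chain. It assumes ordinary parent-child trusts only (no shortcut trusts), and the domain names it uses are constructed samples.

```python
"""Model of the referral hops in a recursive cross-domain S4U2Self chain.

Added illustration; not code from the Synacktiv post or the HackTricks repo.
Assumes ordinary parent-child trusts only (no shortcut trusts), so a referral
walks up the DNS hierarchy to the nearest common ancestor and back down.
Domain names used below are constructed samples. No Kerberos traffic is sent.
"""


def _ancestors(realm: str) -> list[str]:
    """[realm, parent, ..., forest root], stopping at a two-label root."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def referral_path(start_realm: str, end_realm: str) -> list[str]:
    """Realms visited, in order, when start_realm needs a ticket for end_realm."""
    up, down = _ancestors(start_realm), _ancestors(end_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        raise ValueError("realms do not share a forest root by DNS name")
    path_up = up[: up.index(common) + 1]
    path_down = list(reversed(down[: down.index(common)]))
    return path_up + path_down


def s4u_chain(user_realm: str, delegating_realm: str) -> list[tuple[str, str]]:
    """(KDC realm that answers, request type) for each hop of the chain.

    Follows the order described in the post: S4U2Self at the impersonated
    user's domain, one krbtgt/<next realm> TGS-REQ per intermediate trust,
    and a final S4U2Self at the delegating principal's own domain. The first
    element of each tuple is the domain whose DCs hold the request log.
    """
    path = referral_path(user_realm, delegating_realm)
    hops = [(path[0], "S4U2Self")]
    for here, nxt in zip(path, path[1:]):
        hops.append((here, f"TGS-REQ krbtgt/{nxt}"))
    if len(path) > 1:
        hops.append((path[-1], "S4U2Self"))
    return hops


if __name__ == "__main__":
    # Constructed sample: user in CHILD-A, delegating machine account in CHILD-B.
    for kdc, req in s4u_chain("child-a.corp.local", "child-b.corp.local"):
        print(f"{kdc:<22} {req}")
```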

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://synacktiv.com/en/publications/exploring-cross-domain-cross-forest-rbcd-part-2.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening > Active Directory Methodology > Resource-based Constrained Delegation; also cross-reference Windows Hardening > Active Directory Methodology > Kerberos Authentication".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
